CyberWire Daily - Crowdfunding hacktivists and other irregulars. The Molerats have some new tools. Right-to-left override. Arrests in a cryptocurrency money-laundering case.
Episode Date: February 8, 2022
Diplomacy continues over the Russian threat to Ukraine. In the meantime, hacktivists and others are said to be receiving crowdfunding through alt-coin remittances. The Molerats are back, and they have... some new tools. Right-to-left override is being seen again in the wild. Vodafone Portugal is taken offline by a cyberattack. Joe Carrigan on Meta's ten billion dollar privacy hit. Our guest is Greg Otto from Intel 471 to discuss shifts in ransomware strains. And two arrests are made in a money-laundering case connected with the Bitfinex hack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/26
Transcript
You're listening to the CyberWire Network, powered by N2K.
Diplomacy continues over the Russian threat to Ukraine.
In the meantime, hacktivists and others are said to be receiving crowdfunding through altcoin remittances.
The Molerats are back and they have some new tools.
Right-to-left override is being seen again in the wild.
Vodafone Portugal is taken offline by a cyber attack.
Joe Carrigan on Meta's $10 billion privacy hit.
Our guest is Greg Otto from Intel 471 to discuss shifts in ransomware strains, and two arrests are made in a money laundering case connected with the Bitfinex hack.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 8th, 2022.
There have been no striking developments in reporting on the cyber aspects of Russia's hybrid war against Ukraine
since Microsoft's descriptions of Actinium's cyber espionage campaign,
but governments around the world remain on alert for a resumption of cyber war that could spill over outside the theater of operations.
Diplomacy has taken center stage,
but there are interesting signs of altcoin remittances funding Ukrainian equipment,
a prospective resistance, and ongoing hacktivism.
French President Macron is in Kiev today for talks with his Ukrainian counterpart,
President Zelensky.
He left Moscow yesterday, the AP reports, saying that he'd received assurances from Russia's President Putin that Russia would neither escalate the conflict nor
station troops permanently in Belarus. It's tempting to see the French and American governments
as taking a good cop, bad cop approach to influencing Russia, with Mr. Biden cast as Starsky, Major Macron as Hutch, and Putin
as the perp. But there's substantial agreement within NATO that Russian aggression against
Ukraine needs to be, if not prevented, at least resisted. German Chancellor Olaf Scholz said,
shortly before meeting U.S. President Biden yesterday, that NATO's response to Russian aggression would be
united and decisive. President Biden said that the Nord Stream 2 pipeline wouldn't be permitted
to go through if Russia moved on Ukraine, the New York Times reports. Chancellor Scholz suggested
that Nord Stream 2 could indeed be held at risk, but he counseled more strategic ambiguity over the pipeline. This presumably would
not only serve deterrence but might also lead to a face-saving formula that would help Russia back
down from an untenable position without more humiliation than is necessary. The sanctions
under preparation, of which an interruption of Nord Stream 2 would be a part, are expected to impose severe, painful
costs on Russia's economy and society should they be imposed. One complication any Russian invasion
of Ukraine would face, especially if Moscow's troops were to be there for the long haul,
is the likelihood of a Ukrainian resistance movement. Kiev has already begun to organize
more than 100,000 civilians
into a reserve militia, capable in principle at least of functioning as irregular resistance
forces. Retired U.S. Admiral James Stavridis writes in a Bloomberg op-ed that a Ukrainian
resistance is likely and merits Western support. Some of that support has been crowdfunded. The blockchain analysis and
cryptocurrency compliance firm Elliptic says that altcoin contributions to Ukrainian groups,
official or unofficial, rose 900% in 2021, reaching a total of $500,000 for the year
and continuing into 2022. Whatever altcoin's debatable promise as an investment might be,
its value in delivering difficult-to-trace remittances across borders has been clear for years.
Some of the contributions have gone to hacktivist groups like the Ukrainian Cyber Alliance.
Elliptic notes that the donations have been going on at a small level
since Russia's 2014 seizure of Ukraine
and increasing dramatically
with rising tension over the Donbass. Quote, shortly afterwards, Russia seized Crimea and
triggered a war in the eastern Donbass region of Ukraine. After decades of corruption and neglect,
the Ukrainian military could not cope and again volunteer groups stepped in. They provided
soldiers, weapons, and medical supplies
to fill the gap. These groups are funded by private donors who have used bank wires and
payment apps to donate millions of dollars. Bitcoin has also emerged as an important
alternative funding method, allowing international donors to bypass financial institutions that are
blocking payments to these groups.
It's not the only kind of funding, but it's increasingly popular, and it's not only non-governmental organizations who benefit, and it's not only private donors who can
move funds in cryptocurrency.
For most of the fundraising campaigns examined in our investigation, cryptocurrencies represented
a small proportion of the funds received.
The majority of donations were received through traditional payment methods,
such as bank wires and online payment services.
However, cryptocurrency has proved to be a robust and increasingly popular alternative.
In some cases, we found that financial institutions had closed accounts belonging to these fundraising campaigns.
This cannot happen with a crypto wallet.
Cryptocurrency is also particularly suited to cross-border donations,
allowing easier access to wealthy overseas donors.
Some of the Ukrainian volunteer groups and NGOs accepting crypto donations
have very close links to the Ukrainian government,
and this adds to a trend of nation
states turning to cryptocurrency as a means of raising funds. Iran is using Bitcoin mining as
a way to monetize its energy reserves, while North Korea is believed to be stealing cryptocurrency
to support its missile development program. Should kinetic war turn irregular,
watch the blockchains for insight into both sides' logistics.
Proofpoint this morning released a report on a Palestinian-aligned group that's using a new, and in this context, unusually complex attack chain.
The researchers track the activity to the long-familiar Molerats threat group.
The Molerats are using a new implant, NimbleMamba, for command and control and data exfiltration. NimbleMamba replaces LastConn, which itself was an evolved version of SharpStage. Quote, Proofpoint assesses NimbleMamba is actively being developed, is well-maintained, and designed for use in highly targeted intelligence collection campaigns. End quote.
NimbleMamba executes with guardrails, that is, in a discriminating fashion,
targeting systems only in Israel, Iran, or Arabic-speaking countries in the Middle East and North Africa.
Right-to-left override is an old attack technique going back at least 20 years,
but Vade has observed an increase in its use.
At least 200 attacks using the tactic have been seen over the past two weeks.
The technique uses a non-printing Unicode character to shift the order in which subsequent characters are read.
It's employed to dupe users into executing files with hidden extensions.
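The right-to-left override trick described above, as an added example that is not part of the original episode: a small Python check that flags bidi control characters in a filename, approximates how a file manager displays the name, and compares the extension the user sees with the one the operating system will actually act on. The sample filenames and the helper names are constructed for this illustration.

```python
import os
import unicodedata

# Explicit bidirectional control characters: the embedding, override and
# isolate controls plus their terminators. U+202E RIGHT-TO-LEFT OVERRIDE is
# the one classically abused in filenames; the others are flagged too,
# since none of them belongs in an ordinary filename.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override run

# Constructed sample filenames (hypothetical, not from any real campaign).
SAMPLE_NAMES = [
    "quarterly_report.pdf",        # benign
    "invoice_\u202efdp.exe",       # shown as invoice_exe.pdf, runs as .exe
    "holiday_photo\u202egnp.scr",  # shown as holiday_photorcs.png, runs as .scr
]


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control in the string."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name):
    """Approximate what a file manager shows: the run after a RIGHT-TO-LEFT
    OVERRIDE is rendered reversed until a POP DIRECTIONAL FORMATTING or the
    end of the string, and the control characters themselves are invisible.
    (Full bidi layout is more involved; this covers the filename trick.)"""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls: drop them, no reordering modelled here
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def strip_bidi_controls(name):
    """The stored name the OS uses to pick a handler, minus the controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def analyze(name):
    """Compare the extension the OS acts on with the one the user sees."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    actual_ext = os.path.splitext(strip_bidi_controls(name))[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "raw": name,
        "displayed": shown,
        "actual_ext": actual_ext,
        "displayed_ext": shown_ext,
        "controls": controls,
        "suspicious": bool(controls),  # any bidi control at all is worth a look
        "extension_mismatch": bool(controls) and actual_ext != shown_ext,
    }


def scan(names):
    """Return the analyses of every name that carries a bidi control."""
    return [r for r in map(analyze, names) if r["suspicious"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_NAMES):
        print(f"{r['displayed']!r} is really {r['actual_ext']} ({r['controls']})")
```

The same check can be run over mail-gateway attachment names or endpoint file-creation logs, where an extension mismatch is a high-confidence detection.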
Vodafone Portugal said this morning that it was hit last night by an unspecified attack that was intended to cause damage and disruption.
Services are being restored.
The company hasn't attributed the incident to ransomware,
but The Record reports widespread internet rumors,
based apparently on a priori possibility
and other recent incidents in Portugal,
that that's what the attack was.
The Lapsus$ ransomware gang, which has been blamed for earlier attacks against media outlets Impresa and Cofina,
hasn't claimed credit for the incident.
As we noted, in the context of the crowdfunding of insurgencies and resistance movements,
the difficulty of tracing cryptocurrency movement.
But difficult, of course, isn't the same thing as impossible,
as two arrests in Manhattan demonstrate.
The U.S. Department of Justice announced today that, quote, two individuals were arrested this morning in Manhattan for an alleged conspiracy to launder cryptocurrency that was stolen during the 2016 hack of Bitfinex, a virtual currency exchange, presently valued at approximately $4.5 billion.
The two accused, Ilya Lichtenstein and his wife Heather Morgan, are both New Yorkers,
and they're making their first appearance in court this afternoon. The complaint against them alleges that they used a variety of tools in their attempt to launder the money,
some old-school, like passing funds through business accounts,
others more 21st century, including the assumption of fictitious identities,
automated transfers, chain-hopping, and passing of funds into and out of a variety of dark web accounts.
The Justice Department wants to make the point that altcoin is not only in principle traceable,
but recoverable as well.
In the Bitfinex case, for example, the announcement says, quote, thus far, law enforcement has seized over $3.6 billion in cryptocurrency linked to that hack. End quote.
A money laundering conspiracy beef, Justice says, carries a possible sentence of up to 20 years. But, they caution, the accused are entitled to the presumption of innocence until they're convicted beyond a reasonable doubt in a court of law.
The team at security firm Intel 471 recently published research tracking what they describe as a reset of ransomware.
There's no sign of ransomware attacks slowing down, but there have been measurable shifts within the ecosystem of ransomware operators.
Greg Otto is senior cybercrime reporter for Intel 471.
2021 was a pretty banner year for ransomware. Obviously, the big tentpole moment was,
I would even say moments, moments plural, the Colonial Pipeline attack and the attack on JBS as well. And we saw afterwards that the groups responsible for that said that they were going to go dark. And the
underground forums where a lot of these actors operate had a shift where they decided that
they weren't going to let ransomware actors advertise on their platforms. So over a period
in the third quarter of 2021, what we looked at were the
ransomware attacks that we could witness and measure. And we found that the most prevalent
variants from July to September 2021 were LockBit 2.0, Conti, BlackMatter, and Hive. And they made up 60% of the attacks that we measured. One in particular,
particularly LockBit 2.0, they were responsible for one third of the observed attacks that we
ended up measuring. And to be clear, we're not talking about 30 or 40 attacks here. We witnessed
over 600 attacks in the time span from July 2021 to September 2021. So, you know, you're talking
33% of 600. You're talking about ballpark 200, 210 attacks that LockBit 2.0 themselves were
responsible for. Can we go through and kind of compare and contrast these groups? I mean,
you mentioned LockBit 2.0, Conti, BlackMatter, and Hive. What do they have in common and how do they set themselves apart from each other?
So I think what they have in common is they really do follow what we really saw as a trend in 2021, and maybe even going back even further back, is that, you know, these ransomware-as-a-service crews do not operate in a silo, and in order to pull off a ransomware attack, there are a lot of other things in an attack structure that need to happen, and each of them almost has their, like, separate sub-business almost. You're talking about a lot of people that operate on the cybercrime underground forums, forums that I'm sure people are familiar with, like Exploit and XSS, those two examples, but there are a couple others where everybody will advertise their wares. If you're into these forums, uh, you know, you advertise your services, whether, uh, uh, it's any part of a ransomware attack, whether it's access brokers selling access to companies that have been at
crypto services, encryption services that can allow for attacks to be carried out, escrow services where money can change hands to make sure that there's a guarantee that everybody is keeping their end of the bargain, so to speak, when it comes to ransomware attacks. A lot of these groups that we're talking about follow that protocol when it comes to these ransomware attacks. And then also,
once the attacks have taken hold, you'll see a lot of the same operational tactics in terms of
what we call double extortion attacks, where it's, okay, not only have we locked everything up inside
an organization, we've stolen some data and we're
going to dump this data on our hack and leak blogs. We've seen that with a lot of these crews where,
okay, if a organization that has been ransomed isn't going to play ball, okay, we're going to
take the data that we exfilled and we're going to put it up on these quote name and shame blogs
where it's, hey, okay, if you don't want to play ball with us, we're going to take all of this data and dump it out onto the internet. Your competitors are
going to see it. Maybe your stock price gets shorted. We're going to cause you some damage
elsewhere outside of just locking up your business operations. And then we've even seen some of them
go to what we call now a triple extortion, where on top of the two things that I mentioned there,
we now have where these crews
will harass either customers or harass other people inside the business where they might
actually pick up the phone and say, hey, if you don't pay, we're going to make your lives a living
hell, where it's actually to the point where you're talking about physical threats or you're
talking about scaring third parties that a business does business with, you know, from a B2B standpoint, and they threaten, okay, well, you know, if Company X isn't playing ball, uh, you know, we have your contact information, Company Y, maybe you're next, and, um, trying to basically, through all of these extortion schemes, scare the first company or organization that was attacked
into paying the ransoms. So we're seeing this consistently throughout ransomware as a service
where they are going above and beyond to try to do whatever they can in order to see these
organizations that are hit pay up. That's Greg Otto from Intel 471.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
You know, one of the things that we track over on Hacking Humans is social media.
And one of the big social media companies has had not a great week or a great time lately.
What's going on here, Joe?
It depends on how you define a great time.
Okay.
Facebook released earnings recently, and their big complaint is that they stand to lose $10 billion this year due to a change that Apple made on the iPhone.
Back in April of 2021, Apple enabled iPhone users to choose which apps get to track their behavior by requiring that users opt in to sharing their Apple ad ID. So when this came out, Facebook said,
oh, this is really going to be detrimental to the Facebook experience, which I guess means the
experience of getting revenue, because I don't see how this
actually impacts the Facebook experience itself. The experience of having targeted ads put in
front of you. Right. I mean, because really, Facebook gets to track everything you do on
their platform, right? There's nothing Apple can do to stop that from happening. When Facebook
doesn't have access to this ID,
they can't get access to your other behaviors, right? And that's what Facebook is upset about.
And they say it's going to cost them $10 billion in revenue. So top line of the income statements,
right? Well, that sounds like a lot of money to me. Sure does. $10 billion. We're talking about real money. You know, their annual revenue was, I was looking at the report.
It was like almost $118 billion, almost $118 billion in revenue.
And because of this one change in privacy, they're standing to lose about $10 billion.
Now, I'm not a Facebook shareholder.
I also don't work at Facebook.
I don't own anything.
I have no vested interest in Facebook.
But I think this is worth $10 billion.
The privacy of Apple users is well worth $10 billion in Facebook's revenue.
And, you know, Facebook's stock price certainly took a huge hit.
I have seen people saying it was the biggest hit in stock market history,
the biggest loss in value of any company in stock market history. And this could affect their-
In one day or because I think, okay.
It's like $213 billion, something like that, they lost in value. It was big.
Well, markets tend to run on fear and greed. And when fear comes into play,
stock prices crash. And that might be irrational. So, I mean, I'm not giving out
investment advice. So, read into that what you think. Yeah. Well, but I think what I've seen
some folks pointing out is that Facebook is so reliant on advertising for their revenue that
perhaps some investors are seeing a lack of revenue diversity on their part. And the fact, combine that with the fact that
Facebook isn't not growing. This was the first quarter, I believe, where they did not have growth
of users of the platform, that those combinations led to some skepticism from the investors and a
big hit on their stock price. Absolutely. Absolutely. I don't know, you know, their
growth looking forward, they definitely want to get into other products. They, this whole idea
of the metaverse, you know, the virtual environment, I, you know, I have absolutely no interest in,
in participating in that with Facebook. I would love to participate in that with,
with other companies that might be able to build it. Like maybe Steam or Valve Software is building something like that that is similar and has other virtual
reality things. But when Facebook bought Oculus, I thought, there goes my wanting an Oculus. I
don't want that anymore. I would much rather do this with a company who has other interests rather
than targeting me with ads. Yeah. It's an interesting thing, isn't it? That how much investors are able to overlook when it
comes to criticism of a company, as long as that company is still printing money quarter after
quarter, right? And then when the money slows down or the growth slows down, all of a sudden there's more of an emphasis on the actual operational foundation, the values of the company.
And I guess not surprising, perhaps a little disappointing, but that may be what's playing out here.
Yeah, it may be.
It may be.
Take a look at the stock price.
It did take a big hit.
You know, I have never been a Facebook shareholder because I've had concerns about it.
I just can't bring myself to buy that company.
Oh, and that's fine.
You know, say, hey, you know, yeah, invest in companies you believe in.
I think that should be part of the equation.
This episode of financial advice from Joe and Dave.
Right.
Two people who know nothing about finance.
Do not take our advice on finance.
That's right.
That's right.
All right.
Well, Joe Carrigan, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.